On 2013-06-10 at 14:56 +0000, Zuleger, Holger, Vodafone DE wrote:
> The Certificate provided by spodhuis.org authenticates the target
> mx.spodhuis.org,
> but not the query domain (which is spodhuis.org).
To be clear: for mail delivery, you want:

  http://tools.ietf.org/html/draft-ietf-dane-smtp-01

The SMTP case is not quite the same as the SRV case, thus there being a distinct draft to cover it. The SRV text doesn't quite match MX practice; historically, there's been *no* default verification of certificate hostname for MX delivery, because nobody could agree even on what should be, or could safely be, validated. The server for spodhuis.org also handles a number of other domains and it would be inappropriate to pick one, or to reissue the cert as domains come and go. This is the fundamental issue which led to the solution of validating the _target_ domain.

In the text you cite, the "MUST" is for clients that cannot perform DNSSEC validation, to attempt to preserve backwards compatibility for some fairly common cases where there's a 1:1 mapping between domain and hostname (target domain) servicing the domain.

The SMTP draft references only chapter 3 of the SRV draft.

-Phil
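An added illustration of the point made in this reply, not code from Phil or from either draft: the TLSA lookup and the key match for SMTP delivery are anchored on the MX target host, so a record published under the query domain's own name is never consulted. The MX data, the TLSA zone and the SPKI bytes are constructed stand-ins, and only the DANE-EE(3) / SPKI(1) / SHA-256(1) combination is handled.

```python
import hashlib

# Constructed sample data (not real DNS): the domain being delivered to,
# its MX record, and a stand-in for the MX target's DER-encoded
# SubjectPublicKeyInfo.
QUERY_DOMAIN = "spodhuis.org"
MX_TABLE = {"spodhuis.org": [(10, "mx.spodhuis.org")]}
TARGET_SPKI = b"constructed-spki-bytes-for-mx.spodhuis.org"


def tlsa_owner_name(host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an SMTP server: _<port>._tcp.<host>."""
    return f"_{port}._tcp.{host.rstrip('.')}."


def make_tlsa_ee_spki_sha256(spki_der: bytes):
    """A DANE-EE(3), SPKI(1), SHA-256(1) association for the given key."""
    return (3, 1, 1, hashlib.sha256(spki_der).digest())


# The zone publishes TLSA under the MX *target*, not under the query domain.
TLSA_ZONE = {tlsa_owner_name("mx.spodhuis.org"): [make_tlsa_ee_spki_sha256(TARGET_SPKI)]}


def tlsa_matches(record, spki_der: bytes) -> bool:
    """True if the presented SPKI matches one 3/1/1 association."""
    usage, selector, mtype, data = record
    if (usage, selector, mtype) != (3, 1, 1):
        return False  # other usage/selector/type combinations are out of scope here
    return hashlib.sha256(spki_der).digest() == data


def dane_name_for(query_domain: str, mx_table=MX_TABLE) -> str:
    """Host whose TLSA records govern delivery for query_domain: the
    lowest-preference MX target, not query_domain itself."""
    prefs = mx_table.get(query_domain)
    if not prefs:
        return query_domain  # no MX: the domain's own host receives mail
    return min(prefs)[1]


def verify_delivery(query_domain: str, spki_der: bytes, zone=TLSA_ZONE) -> str:
    """Outcome of a DANE check for delivering to query_domain."""
    target = dane_name_for(query_domain)
    records = zone.get(tlsa_owner_name(target), [])
    if not records:
        return "no-tlsa"  # no TLSA RRset under the target name: nothing to enforce
    return "ok" if any(tlsa_matches(r, spki_der) for r in records) else "mismatch"
```

Looking up `tlsa_owner_name(QUERY_DOMAIN)` in the same zone returns nothing, which is why a cert or TLSA record for spodhuis.org itself plays no role in the check.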